Explain Tcpdump and WinDump in Vulnerability Scanning.
1 Answer


  • The tcpdump command is present by default on most Unix-based systems.

  • It is useful in debugging networks and services.

  • Tcpdump is a common packet analyzer that runs under the command line.

  • It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.

  • However, its potential for abuse, especially in the era of remote administration via telnet, gave tcpdump a bad reputation.

  • WinDump is the tcpdump command’s counterpart for Windows systems.

  • Tcpdump is primarily a sniffer as opposed to a protocol analyzer.

  • Its filters enable you to extract any combination of network packets, but it doesn’t parse higher-level protocols like HTTP, SNMP, or DNS into more human-readable formats or annotate the traffic.

  • For example, a protocol analyzer would know how to interpret the specific flags, options, and steps for an SSL connection handshake.

  • The sniffer just shows the raw packets.

  • Tcpdump and WinDump both use the packet capture (pcap) library, a set of packet capture routines written by the Lawrence Berkeley National Laboratory.

  • The pcap routines provide the interface and functionality for OS-level packet filtering and disassembling IP packets into raw data.

  • Because WinDump is simply a Windows port of tcpdump, the two commands are mostly interchangeable.

  • The only difference is the name of the network interface to specify for capturing traffic.

  • The tools require privileged user access to capture data.

  • Make sure to execute them with sudo or “Run As Administrator” as appropriate.

  • Another reason tcpdump and WinDump require privileged access is that they put the network interface into promiscuous mode in order to see all traffic across the device.

  • Some network devices such as Ethernet hubs broadcast a packet to all ports on the hub (all hosts connected to the hub) in expectation that only the intended recipient will accept it.

  • The other hosts receive the packet as well, but they ignore it because the packet is not intended for their MAC address.

  • Tcpdump filters control what kinds of traffic the command captures.

  • Filter expressions are defined with the Berkeley Packet Filter (BPF) syntax.

  • Multiple filters may be combined with Boolean operators such as AND, OR, and NOT.

  • The typical format of an expression is a label (representing a packet characteristic) followed by a value:

                      $ tcpdump packet_characteristic value
     - A type qualifier is a packet characteristic.
     - The most typical packet qualifiers are the type labels: host, net,
       and port.
     - For example, the following command tells tcpdump we want to see only
       packets to or from
         $ tcpdump host
  • If all we care about is web traffic, we can narrow the filter to the default port for HTTP:

                    $ tcpdump host and port 80
     - The net qualifier captures traffic destined for or originating from
       any host that matches the filter:
                      $ tcpdump net and port 80
  • Remember that the net qualifier only exposes traffic visible to the sniffer’s network interface.

  • Specifying a network doesn’t automatically make its traffic visible—only network proximity of the sniffer does.

  • Common uses of Tcpdump are as follows:

    • Tcpdump prints the contents of network packets.

    • It can read packets from a network interface card or from a previously created saved packet file.

    • It can write packets to standard output or a file.

    • It is also possible to use tcpdump for the specific purpose of intercepting and displaying the communications of another user or computer.
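The following is an added example, not part of the answer above or of the tcpdump/WinDump projects. It shows, in Python rather than at the tcpdump command line so that it runs offline without root, what the answer describes: a capture file in the libpcap format that tcpdump and WinDump both write, read back the way `tcpdump -r file` reads it, decoded only as far as a sniffer decodes (Ethernet, IPv4, TCP ports, nothing above layer 4), and then filtered with the host, net and port primitives combined the way a BPF expression combines them. Every address, port and packet is constructed test data from the RFC 5737 documentation ranges; the `sniff`, `host`, `net` and `port` names are this example's own, not tcpdump's.

```python
"""Added example (not part of the original answer): build a small pcap file in memory,
read it back the way `tcpdump -r file` does, and apply host/net/port filters to the
decoded packets. All addresses and ports are constructed test data (RFC 5737 ranges)."""
import ipaddress
import struct

LINKTYPE_ETHERNET = 1  # DLT_EN10MB, the link type libpcap writes for Ethernet captures


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words of an IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_packet(src_ip, dst_ip, sport, dport, flags=0x02) -> bytes:
    """Ethernet II + IPv4 + TCP header, no payload; the TCP checksum is left at 0."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill in header checksum
    return eth + ip + tcp


def write_pcap(packets) -> bytes:
    """Serialise frames in the classic libpcap file format (magic 0xa1b2c3d4, version 2.4)."""
    out = struct.pack("!IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, pkt in enumerate(packets):  # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("!IIII", 1_700_000_000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def read_pcap(data: bytes):
    """Yield (timestamp, frame) from a pcap blob, honouring the byte order the magic announces."""
    if data[:4] == b"\xa1\xb2\xc3\xd4":
        fmt = "!"
    elif data[:4] == b"\xd4\xc3\xb2\xa1":
        fmt = "<"
    else:
        raise ValueError("not a classic pcap file")
    offset = 24  # global header length
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(fmt + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len


def decode(frame: bytes):
    """Minimal Ethernet/IPv4/TCP decode: the sniffer's view, nothing above layer 4 is parsed."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None  # not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    pkt = {"src": str(ipaddress.IPv4Address(ip[12:16])),
           "dst": str(ipaddress.IPv4Address(ip[16:20])), "proto": ip[9]}
    if pkt["proto"] == 6:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return pkt


# BPF-style primitives as predicates; `sniff` ANDs them, like `host X and port 80`
def host(addr):
    return lambda p: addr in (p["src"], p["dst"])

def net(cidr):
    network = ipaddress.ip_network(cidr)
    return lambda p: any(ipaddress.ip_address(a) in network for a in (p["src"], p["dst"]))

def port(n):
    return lambda p: n in (p.get("sport"), p.get("dport"))


def sniff(pcap_bytes, *predicates):
    """Return tcpdump-like one-liners for every TCP packet matching all predicates."""
    lines = []
    for _ts, frame in read_pcap(pcap_bytes):
        p = decode(frame)
        if p and p["proto"] == 6 and all(pred(p) for pred in predicates):
            lines.append(f"IP {p['src']}.{p['sport']} > {p['dst']}.{p['dport']}")
    return lines


# Constructed traffic: an HTTP SYN and SYN/ACK, an HTTPS SYN, and an SSH probe
SAMPLE_PCAP = write_pcap([
    build_tcp_packet("192.0.2.10", "198.51.100.5", 51000, 80),
    build_tcp_packet("198.51.100.5", "192.0.2.10", 80, 51000, flags=0x12),
    build_tcp_packet("192.0.2.10", "198.51.100.9", 53211, 443),
    build_tcp_packet("203.0.113.7", "192.0.2.20", 2222, 22),
])

if __name__ == "__main__":
    for line in sniff(SAMPLE_PCAP, host("192.0.2.10"), port(80)):  # like 'host ... and port 80'
        print(line)
```

Writing `SAMPLE_PCAP` to a file and opening it with `tcpdump -nr file.pcap 'host 192.0.2.10 and port 80'` (or WinDump with the same expression) should list the same two packets, which is a quick way to check that a hand-built capture is well-formed. Reading a saved file this way needs no elevated privileges; only live capture does, because opening the interface in promiscuous mode is what the operating system gates.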
